When it comes to BCP38, it's easier said than done. If you have a small network with a handful of IP space, BCP38 is easy to implement. Nothing hard about a filter which drops all traffic if the source address isn't from your allocated network pool. So if every "end user" implemented BCP38, the world would be a better place.
On the ISP front, it's a completely different story. They aren't the end user; they are the transit provider. Their customers have either space provided by the ISP, direct RIR allocations, or allocations from other ISPs. The man-hours involved in keeping such a filter updated are enormous and expensive. So when folks point fingers at ISPs to be the anti-spoofing police, I'd say, "don't hold your breath".

On that note, there is a developing certification process which could automate the verification of who owns what address space so that BCP38 by ISPs becomes a more viable solution. That process is called Resource Public Key Infrastructure (RPKI) (https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure). RPKI allows for a type of identification saying, "Only I can originate this network space". This would allow ISPs to better implement BCP38, because they would no longer have to do a manual validation check to see if 93.186.32.0/20 was really allocated to rfc1035.net.

In any case, spoofing is only a part of the battle against DDoS attacks. Compromised web servers waiting for instructions on what target address to hit aren't thwarted by BCP38 (see: Brobot - Operation Ababil). It's more likely that you can get folks to fix NTP monlist config issues than a zillion end users and providers to implement anti-spoofing measures. So far there has been a decline in open NTP servers answering monlist queries from 1.5 million to 500,000 over the last few months. Reducing the pool of servers that can be used for malicious intent is likely to have a much more immediate effect than calls for ISPs and end users to police address origination of every packet.
NOTES: http://www.nanog.org/sites/default/files/wednesday.general-lt.gilmore.ntpreflection.pdf

Date         Responding Servers
===============================
1-10-2014:   1,529,866
1-17-2014:   1,402,569
1-24-2014:     803,156
1-31-2014:     564,027
2-07-2014:     490,724

On Fri, Feb 21, 2014 at 8:27 PM, Sanjeev Gupta <[email protected]> wrote:
> On Fri, Feb 21, 2014 at 6:15 PM, Jim Reid <[email protected]> wrote:
>
> > Your ISP should be deploying source address filtering/validation at their
> > edge routers. Though they probably don't: good luck getting them to
> > change.
>
> _Their_ ISP needs to do this, not yours. Your ISP sees a valid destination
> address (yours), and a valid source address (the Internet). Spoofed
> packets need to be checked while _leaving_ a network.
>
> --
> Sanjeev Gupta
> +65 98551208 http://www.linkedin.com/in/ghane
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
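The two mechanisms discussed above, an end-user BCP38 egress filter (drop anything leaving the network whose source is not in our own allocation) and the RPKI origin check that would let an ISP automate "is this prefix really allowed to be originated by this party", as an added example that is not part of the original thread. Everything in it is constructed: the allocated prefixes and ROA table use documentation address space (RFC 5737/3849) and documentation ASNs (RFC 5398), and the origin check follows the RFC 6811 covering-ROA / maxLength rule rather than any particular router's implementation.

```python
"""Added example: BCP38 source-address filtering and RPKI-style route origin validation.

All prefixes, ASNs, ROAs and packets below are constructed for illustration.
"""
import ipaddress

# Constructed: the address space allocated to *our* network. A BCP38 egress
# filter permits a packet to leave only if its source address lies in here.
ALLOCATED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

# Constructed ROA table as an ISP would obtain it from RPKI validators:
# (prefix, authorised origin ASN, maxLength). ASNs are documentation ASNs.
ROAS = [
    (ipaddress.ip_network("198.51.100.0/24"), 64496, 24),
    (ipaddress.ip_network("203.0.113.0/24"), 64497, 26),
]


def bcp38_permit(src, allocated=ALLOCATED):
    """Return True if a packet with this source address may leave our network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allocated)


def filter_egress(packets, allocated=ALLOCATED):
    """Apply the BCP38 check to (src, dst) pairs; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if bcp38_permit(src, allocated) else dropped).append((src, dst))
    return forwarded, dropped


def roa_validate(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation.

    'valid'     - some covering ROA names this ASN and permits this length
    'invalid'   - covering ROAs exist but none matches (wrong ASN or too long)
    'not-found' - no ROA covers the announced prefix at all
    """
    announced = ipaddress.ip_network(prefix)
    covering = [
        r for r in roas
        if r[0].version == announced.version and announced.subnet_of(r[0])
    ]
    if not covering:
        return "not-found"
    for _roa_prefix, asn, max_len in covering:
        if asn == origin_asn and announced.prefixlen <= max_len:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    # Constructed traffic: two genuine packets and one with a spoofed source.
    sample = [
        ("192.0.2.10", "198.51.100.1"),
        ("2001:db8::1", "2001:db8:1::1"),
        ("198.51.100.77", "203.0.113.5"),   # source is not ours: spoofed
    ]
    fwd, drop = filter_egress(sample)
    print("forwarded:", fwd)
    print("dropped  :", drop)
    for p, asn in [("198.51.100.0/24", 64496), ("198.51.100.0/25", 64496),
                   ("203.0.113.0/25", 64497), ("192.0.2.0/24", 64496)]:
        print(p, "from AS%d ->" % asn, roa_validate(p, asn))
```

The egress check is the whole of BCP38 for a single-homed end network: one allow-list, no per-customer bookkeeping. The ISP side is what the ROA table stands in for: instead of maintaining a hand-built list of which customer owns which block, the transit provider can derive its source/origin filters from ROAs and refresh them automatically as allocations change.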
